Re: How HTTP 2.0 mandatory security will actually reduce my personal security from Roberto Peon on 2013-11-15 (ietf-http-wg@w3.org from October to December 2013)

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 14 Nov 2013 23:32:23 -0800
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: Bruce Perens <bruce@perens.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAP+FsNc7cDRjS1D=aQpQXsqmDmu6dBvnTHrtKzK6MpVc06j9yA@mail.gmail.com>

For 1,2: How is this not orthogonal to the rest of the discussion?
For 3: I'm assuming you mean because the data is encrypted. You can MITM
this.

Just to be sure we're all on the same page here (because it seems that
we're not):.
  As I understand it, the proposal is:
    For web activity on the "open internet", if the scheme is https,
attempt to use http/2 over an encrypted, authenticated channel.
    For web activity on the "open internet", if the scheme is http, use
http/1 over an unencrypted, plaintext channel.
    For activity on a private network: use any combination of
{authenticated, unauthenticated}{encrypted, unencrypted}{http2,http1} you
desire.

Is there an objection to this?
-=R


On Thu, Nov 14, 2013 at 11:16 PM, Nicolas Mailhot <
nicolas.mailhot@laposte.net> wrote:

>
> Le Ven 15 novembre 2013 07:57, Roberto Peon a écrit :
> > What is your threat model?
>
> The threat model is
> 1. developer that makes information leak trough incompetence, laziness,
> sloppiness or greed (cf all the info your average android app wants to
> access)
> 2. attacker that does not need to penetrate target anymore can just
> collect the leaked info at endpoints (see also: Snowden)
> 3. protocol that prevents anyone doing anything about it by default
>
> --
> Nicolas Mailhot
>
>

Received on Friday, 15 November 2013 07:32:50 UTC